Merge branch 'master' of github.com:rubysec/ruby-advisory-db

Author: mveytsman

README.md

@@ -13,6 +13,7 @@ the advisories [CVE] identifier number.
       rails/:
         2012-1098.yml  2012-2660.yml  2012-2661.yml  2012-3463.yml
 
+If an advisory does not yet have a [CVE], [requesting a CVE][1] is easy.
 ## Format
 
 Each advisory file contains the advisory information in [YAML] format:
@@ -50,11 +51,6 @@ Each advisory file contains the advisory information in [YAML] format:
 * `patched_versions` \[Array\<String\>\]: The version requirements for the
   patched versions of the Ruby library.
 
-## Obtaining a CVE
-
-If you have prepared an advisory but do not have a CVE, simply email
-[[email protected]](mailto:[email protected]).
-
 ## Credits
 
 * [Postmodern](https://github.com/postmodern/)
@@ -64,3 +60,5 @@ If you have prepared an advisory but do not have a CVE, simply email
 [CVE]: http://cve.mitre.org/
 [CVSSv2]: http://www.first.org/cvss/cvss-guide.html
 [YAML]: http://www.yaml.org/
+
+[1]: http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

gems/devise/2013-0233.yml

@@ -0,0 +1,19 @@
+---
+gem: devise
+cve: 2013-0233
+url: http://osvdb.org/show/osvdb/89642
+title: |
+  Devise Database Type Conversion Crafted Request Parsing Security Bypass
+
+description: |
+  Devise contains a flaw that is triggered during when a type conversion error
+  occurs during the parsing of a malformed request. With a specially crafted
+  request, a remote attacker can bypass security restrictions.
+
+cvss_v2: 10.0
+
+patched_versions:
+  - ~> 1.5.4
+  - ~> 2.0.5
+  - ~> 2.1.3
+  - ">= 2.2.3"

gems/gtk2/2007-6183.yml

@@ -0,0 +1,18 @@
+---
+gem: gtk2
+cve: 2007-6183
+url: http://osvdb.org/show/osvdb/40774
+title: |
+  Ruby-GNOME2 gtk/src/rbgtkmessagedialog.c Gtk::MessageDialog.new() Function
+  Format String 
+
+description: |
+  Format string vulnerability in the mdiag_initialize function in
+  gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and
+  SVN versions before 20071127, allows context-dependent attackers to execute
+  arbitrary code via format string specifiers in the message parameter.
+
+cvss_v2: 6.8
+
+patched_versions:
+  - "> 0.16.0"

gems/multi_xml/2013-0175.yml

@@ -0,0 +1,15 @@
+---
+gem: multi_xml
+cve: 2013-0175
+url: http://osvdb.org/show/osvdb/89148
+title: |
+  multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution 
+
+description: |
+  The multi_xml Gem for Ruby contains a flaw that is triggered when an error
+  occurs during the parsing of the 'XML' parameter. With a crafted request
+  containing arbitrary symbol and yaml types, a remote attacker can execute
+  arbitrary commands.
+
+patched_versions:
+  - ">= 0.5.2"

gems/rdoc/2013-0256.yml

@@ -0,0 +1,18 @@
+---
+gem: rdoc
+cve: 2013-0256
+url: http://www.osvdb.org/show/osvdb/90004
+title: RDoc 2.3.0 through 3.12 XSS Exploit
+description: |
+  Doc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit may lead to cookie disclosure to third parties.
+
+  The exploit exists in darkfish.js which is copied from the RDoc install location to the generated documentation.
+
+  RDoc is a static documentation generation tool. Patching the library itself is insufficient to correct this exploit.
+
+  This exploit was discovered by Evgeny Ermakov <[email protected]>.
+cvss_v2: 4.3
+patched_versions:
+- ~> 3.9.5
+- ~> 3.12.1
+- ">= 4.0"